Posted by PacMan on December 2, 2006, 7:45 am
Hi there,
I seem to have almost continuous activity going on, Internet-wise.
Zone Alarm informs me that this is generic host processes for Win32.
My question is: is this innocent communication between the computer
and the ADSL modem, or is there some Trojan which has fooled Zone
Alarm into thinking it's a legitimate process?
In addition to the products below, I also recently installed and
updated the free version of AVG, which also found nothing to report.
Am I just being paranoid, or do I have something to worry about?
I have Spybot Search and Destroy, resident enabled. I have Java Cools
Prerelease installed.
I'm running Zone Alarm Security Suite 6.5.737.000, Anti Virus Vet
engine 11.91.1.000 DAT version 11.9.10088.000, antispyware engine
5.0.83.0 DAT version 01.200612.585
Computer is Windows XP SP 2, automatic updates configured to tell me
whether I need to download and install.
I use an old version of MS Outlook for mail, Firefox 1.5.0.8 and
Internet Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519IS.
--
PacMan
"Laugh, and the world laughs with you,
snore and you sleep alone"
- Anthony Burgess
Posted by Mr. Arnold6 on December 2, 2006, 8:28 am
PacMan wrote:
> Hi there,
>
> I seem to have almost continuous activity going on, Internet-wise.
> Zone Alarm informs me that this is generic host processes for Win32.
ZA, oh Lord :(
>
> My question is: is this innocent communication between the computer
> and the ADSL modem, or is there some Trojan which has fooled Zone
> Alarm into thinking it's a legitimate process?
What is svchost.exe (generic host processes for Win32), which is the
messenger for the O/S programs and other non-O/S programs to allow
communications, trying to connect to, IP-wise? Svchost.exe does nothing
on its own. It does it on the behalf of other programs that want to
communicate to the Internet WAN - Wide Area Network or with other
machines in a LAN, Local Area Network, situation. There can be several
svchost.exe(s) running too.
If svchost.exe is not running out of c:\windows\system32, then it's a
Trojan.
>
> In addition to the products below, I also recently installed and
> updated the free version of AVG, which also found nothing to report.
>
> Am I just being paranoid, or do I have something to worry about?
I can't say you're being paranoid, but you may be over reacting,
possibly. However, malware can use svchost.exe on its behalf to
communicate as well. So you always must be aware of what svchost.exe is
connecting to and who is doing the asking.
None of the solutions you're talking about can really tell you what's
happening on the machine, and those solutions can be defeated by malware.
You have got to look for yourself from time to time with tools that are
going to allow you to *look*, for yourself.
The tools in the link will allow you to look and they are (free).
Long
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
Short
http://tinyurl.com/klw1
For a machine that has a direct connection to the modem, you should
try to harden the XP O/S against attack as much as possible, like remove
Client for MS Network and MS File and Print Sharing off of the NIC or
dial-up connection. You have no need to be in any networking situation
with a computer that has a direct connection to the modem, with the
computer having a direct connection to the Internet, none period.
There are other things in the link you can do as well to harden the NT-
based O/S against attack.
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
Posted by PacMan on December 3, 2006, 12:11 pm
It was round about Sat, 02 Dec 2006 13:28:47 GMT, when the famed Mr.
Arnold6 of the dreaded EarthLink Inc. -- http://www.EarthLink.net was
struck by a sudden insight:
>PacMan wrote:
>> Hi there,
>>
>> I seem to have almost continuous activity going on, Internet-wise.
>> Zone Alarm informs me that this is generic host processes for Win32.
>
>ZA, oh Lord :(
There's something I should know?
[..]
>If svchost.exe is not running out of c:\windows\system32, then it's a
>Trojan.
Running out of correct location, up to 3 instances operational.
[..]
>You have got to look for yourself from time to time with tools that are
>going to allow you to *look*, for yourself.
>
>The tools in the link will allow you to look and they are (free).
[..]
Thanks for the links: appreciated. I didn't find any that were free
when they discovered an infection though.
Oh well, Spyware Doctor has removed Ranky, which Symantec claims is a
very low risk, and few infections discovered in the wild.
ObZoneAlarm: I changed from Norton since Norton Internet Security
seemed to slow certain things down significantly. Perhaps I should
change back? Or go Kaspersky?
--
PacMan
"I love being married. It's so great to find that one special
person you want to annoy for the rest of your life" - Rita Rudner
Posted by Mr. Arnold6 on December 3, 2006, 12:28 pm
PacMan wrote:
> It was round about Sat, 02 Dec 2006 13:28:47 GMT,, when the famed Mr.
> Arnold6 of the dreaded EarthLink Inc. -- http://www.EarthLink.net was
> struck by a sudden insight:
>
>
>>PacMan wrote:
>>
>>>Hi there,
>>>
>>>I seem to have almost continuous activity going on, Internet-wise.
>>>Zone Alarm informs me that this is generic host processes for Win32.
>>
>>ZA, oh Lord :(
>
>
> There's something I should know?
Don't count on ZA too much.
>
> [..]
>
>>If svchost.exe is not running out of c:\windows\system32, then it's a
>>Trojan.
>
>
> Running out of correct location, up to 3 instances operational.
>
> [..]
>
>>You have got to look for yourself from time to time with tools that are
>>going to allow you to *look*, for yourself.
>>
>>The tools in the link will allow you to look and they are (free).
>
>
> [..]
>
> Thanks for the links: appreciated. I didn't find any that were free
> when they discovered an infection though.
The point is they can miss a whole lot of things, which you should look
around for yourself and not depend totally on such solutions, with the
tools in the link. You do the determination and detection from time to time.
Posted by Falcon on December 2, 2006, 11:32 am
PacMan wrote:
> Hi there,
>
> I seem to have almost continuous activity going on, Internet-wise.
> Zone Alarm informs me that this is generic host processes for Win32.
>
> My question is: is this innocent communication between the computer
> and the ADSL modem, or is there some Trojan which has fooled Zone
> Alarm into thinking it's a legitimate process?
Process explorer will tell you much more than the default windows task
manager about what each process, including each instance of svchost.exe, is
doing.
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
--
Falcon:
fide, sed cui vide. (L)
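The checks Mr. Arnold6 describes (is svchost.exe really running from System32, which services are "doing the asking", and what each instance is connected to) and the per-instance view Falcon points to in Process Explorer can also be done from the command line. The PowerShell script below is an added example, not code from the thread or from either poster; it assumes Windows with PowerShell 2.0 or later, an elevated prompt, and the standard `netstat -ano` output format. One caveat the thread does not spell out: an svchost.exe that lives in the right place and has the right parent can still be hosting a malicious service DLL, so the script also reads each hosted service's ServiceDll value from the registry.

```powershell
# Added example, not from the thread. Requires Windows PowerShell 2.0+ and an
# elevated prompt (reading ExecutablePath of other users' processes needs admin).

$expected = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Every running svchost.exe, with its on-disk image path and parent PID.
$procs    = Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'"
# Every service, with the PID of the process currently hosting it.
$services = Get-WmiObject Win32_Service

# Parse 'netstat -ano'. TCP rows look like:
#   TCP    192.168.1.10:1042    65.55.12.4:80    ESTABLISHED    1044
# UDP rows have no State column, so only TCP is handled here.
$conns = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
    $f = ($_.Trim()) -split '\s+'
    New-Object PSObject -Property @{
        Local    = $f[1]
        Remote   = $f[2]
        State    = $f[3]
        OwnerPid = [int]$f[4]
    }
}

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    # The thread's first test: is the image really %SystemRoot%\System32\svchost.exe?
    $pathOk = ($path -ne $null) -and ($path -ieq $expected)
    $flag = if ($pathOk) { 'path OK' } else { 'SUSPECT PATH' }
    Write-Output ("PID {0,-6} {1,-13} {2}" -f $p.ProcessId, $flag, $path)

    # A genuine svchost.exe is started by services.exe; any other parent is odd.
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $pn = if ($parent) { $parent.Name } else { '(gone)' }
        Write-Output ("    WARNING: parent is {0}, expected services.exe" -f $pn)
    }

    # "Who is doing the asking": the services this instance hosts, and the DLL
    # each one loads. A correct svchost.exe path says nothing about these DLLs.
    $hosted = $services | Where-Object { $_.ProcessId -eq $p.ProcessId }
    if (-not $hosted) { Write-Output "    services: (none)" }
    foreach ($s in $hosted) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = '(no ServiceDll value)' }
        Write-Output ("    service {0,-20} {1}" -f $s.Name, $dll)
    }

    # What this instance is actually talking to right now.
    $mine = $conns | Where-Object { $_.OwnerPid -eq $p.ProcessId -and $_.State -eq 'ESTABLISHED' }
    foreach ($c in $mine) {
        Write-Output ("    {0} -> {1}" -f $c.Local, $c.Remote)
    }
}
```

Save it as a .ps1 and run it from an elevated prompt (with `-ExecutionPolicy Bypass` if script execution is restricted). ServiceDll values that still contain an unexpanded `%SystemRoot%` are normal; what deserves attention is a DLL outside the Windows directory, a service name you do not recognise, or an ESTABLISHED connection to an address that none of the hosted services (Automatic Updates, BITS, DNS client and so on) would plausibly need.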